NIST revises cybersecurity training special publication

The National Institute of Standards and Technology released Wednesday a public draft of a special publication governing federal agency cybersecurity role-based training.

In the draft – NIST SP 800-16 R. 1, second draft, version two (.pdf) – NIST notes that training differs from education, with the latter being led by the National Initiative for Cybersecurity Education. The NICE workforce taxonomy released in 2011 provides a framework for the education of cybersecurity workers, the draft says, whereas this NIST special publication focuses on how all federal workers will ensure government information is secure.

"For example, a pilot is educated on the aerodynamics of an aircraft, and trained on how to fly the aircraft," it adds.

Nor is information security the purview of just cybersecurity workers. "Each individual that owns, uses, relies on, or manages information and information systems must fully understand their specific security responsibilities," the draft states.

Training should be tailored to the roles that workers have in federal agencies, it adds – and roles "are not simply job titles."

It describes "for illustrative purposes" three competency levels, ranging from basic to expert. Agencies should construct an enterprisewide training program by beginning with a needs assessment to identify gaps in the current training program or identify roles within functions which require training. The second step is to identify knowledge and skills for which workers need training. The results of the two steps are then correlated, along with a determination of the competency level toward which individuals in each role require training – at which point training should occur, followed by an evaluation.

This being a NIST document, the draft provides a catalog of knowledge and skill categories broken down into individual elements – for example, "Skill in security impact analysis of changes to the configuration" within the "Configuration Management" category. It also provides sample matrices for role-based training categorized according to functional and role areas. For example, within the "operate and maintain" function, there could be the role area of "network services" broken down into 11 different roles, such as "network administrator" or "continuous monitoring executer."

The draft proposes matching each of those roles to knowledge and skills, categorized according to competencies – All, Manage, Design, Implement and Evaluate.
